
I'm working on a legacy rails application and the controllers have many instances of params.permit!. When running a Brakeman scan on it, params.permit! opens up the application to mass assignment vulnerabilities.

My question is- what is the most effective way to get around this params.permit! vulnerability and replace it?

zasman

3 Answers


params.permit! whitelists all attributes leading to the vulnerabilities of mass assignment. The best way to get around this is by whitelisting only the necessary attributes like so:

params.permit(:attr1, :attr2, ...)

Even better, use require with permit:

Allows you to choose which attributes should be whitelisted for mass updating and thus prevent accidentally exposing that which shouldn't be exposed. Provides two methods for this purpose: require and permit. The former is used to mark parameters as required. The latter is used to set the parameter as permitted and limit which attributes should be allowed for mass updating.

params.require(:key).permit(:attr1, :attr2, ...)
Pavan

I assume that someone added the params.permit! after a rails upgrade to avoid looking into "strong parameters" and setting it up correctly.

The correct way to fix this is by going through every controller and reviewing what params you need and want to permit for every action, and then using params.permit (without the exclamation mark) to set up the whitelist for permitted parameters:

https://apidock.com/rails/ActionController/Parameters/permit

trueunlessfalse
  • That sounds like something that may have happened. So, params.permit(:attribute1, :attribute2) before each method? – zasman Sep 17 '18 at 20:12
  • First, Pavan's answer is more complete and quicker than mine. I would recommend selecting it as the correct answer. Second: in most cases a CRUD controller has only two actions using the params: update and create. Often (not always!) both actions are permitting the same parameters, so in a controller for a 'person', defining 'person_params' once should be enough. – trueunlessfalse Sep 18 '18 at 07:50
  • I would recommend you to read the Rails guide for strong parameters: https://edgeguides.rubyonrails.org/action_controller_overview.html#strong-parameters – trueunlessfalse Sep 18 '18 at 07:51

I also found that using the to_unsafe_hash method on individual param calls will work and get around the Brakeman warning. Some info on the method here: https://apidock.com/rails/v4.2.7/ActionController/Parameters/to_unsafe_hash

zasman